Merge pull request #5632 from chaen/rel-v7r3_doc_installHTTPs

[v7r3] Proper documentation for HTTPs services

Author: fstagni

docs/source/AdministratorGuide/ServerInstallations/HTTPSServices.rst

@@ -0,0 +1,194 @@
+.. _https_services:
+
+==================================
+Installing HTTPs services in DIRAC
+==================================
+
+.. contents::
+
+Background
+**********
+
+For many years, DIRAC services have been exposed through the historical DISET (``dips://``) protocol.
+Few years ago DIRAC developers started exposing DIRAC services using the HTTPs protocol.
+This page explains how to migrate existing DIPs protocol to HTTPs. For a developer view, refer to :ref:`httpsTornado`.
+
+For a summary presentation you can check `this <https://indico.cern.ch/event/852597/contributions/4331720/attachments/2241040/3799728/HttpsInDIRAC.pdf>`_.
+
+NB: not all DIPs services can be exposed through HTTPs. For a comprehensve list, please refer to :ref:`scalingLimitations`.
+
+General principle
+=================
+
+Contrary to the DISET protocol where each service would have its own process and port opened, HTTPs services are served by a unique process and port, based on Tornado.
+
+There are exceptions to that, due to the use of global variables in some parts of DIRAC. Namely:
+
+* Master CS
+
+All other services can follow the standard procedure described below.
+
+First, the following configuration subsections have to be added to CS::
+
+  # "Main" section
+  DIRAC
+  {
+    Setups
+    {
+      ...
+      Tornado = Production
+    }
+  }
+
+  # Add Tornado to Systems section
+  Systems
+  {
+    ...
+    Tornado
+    {
+      Production
+      {
+        Port = 443
+      }
+    }
+  }
+
+
+Installation of an HTTPs based service
+======================================
+
+This procedure is to be used if you are want to serve a new service with HTTPs.
+
+
+Case 1: you do NOT run the equivalent DISET service
+---------------------------------------------------
+
+This is the most trivial case. Just run ``dirac-install-tornado-service`` with the service you are interested in. This will install an ``runit`` component running ``tornado-start-all``.
+
+Case 2: you run the equivalent DISET service
+--------------------------------------------
+
+Because the CS already contains the handler definition for DISET, ``dirac-install-tornado-service`` will not modify it. Thus, you have to update it yourself, before running the command, otherwise ``tornado-start-all`` will not find any service to run, and the installation will be shown as failed.
+
+Procedure:
+
+#. Update by hand the CS of the desired service:
+
+  * Remove the port definition
+  * Modify the handler to point to the Tornado handler
+  * add ``Protocol=https``
+
+The example the follows is for the "DIRAC File Catalog" (DFC) service. This would normally be in CS as::
+
+  Systems
+  {
+    ...
+    DataManagement
+    {
+      Production
+      {
+        URLs
+        {
+          ...
+          FileCatalog = dips://my.server.org:9197/DataManagement/FileCatalog
+        }
+        Services
+        {
+          ...
+          FileCatalog
+          {
+            ...
+            Port = 9197
+            Protocol = dips
+            ...
+          }
+        }
+        ...
+      }
+    }
+  }
+
+
+And you need to change it to::
+
+  Systems
+  {
+    ...
+    DataManagement
+    {
+      Production
+      {
+        URLs
+        {
+          ...
+          FileCatalog = https://my.server.org:8443/DataManagement/FileCatalog
+        }
+        Services
+        {
+          ...
+          FileCatalog
+          {
+            ...
+            Protocol = https
+            HandlerPath = DIRAC/DataManagementSystem/Service/TornadoFileCatalogHandler.py
+            ...
+          }
+        }
+        ...
+      }
+    }
+  }
+
+
+#. Run ``dirac-install-tornado-service`` or restart the tornado component if already running.
+
+.. note::
+  This means that from now on, the DISET service cannot be restarted anymore, as its configuration would be wrong.
+  So, go ahead and remove (by hand, for now) the `runit`-related directories of the DISET service.
+
+Example of configuration before/after:
+
+.. literalinclude:: /../../src/DIRAC/WorkloadManagementSystem/ConfigTemplate.cfg
+   :start-after: ##BEGIN JobMonitoring
+   :end-before: ##END
+   :dedent: 2
+   :caption: JobMonitoring configuration for DISET
+
+.. literalinclude:: /../../src/DIRAC/WorkloadManagementSystem/ConfigTemplate.cfg
+   :start-after: ##BEGIN TornadoJobMonitoring
+   :end-before: ##END
+   :dedent: 2
+   :caption: JobMonitoring configuration for HTTPs
+
+In any case, do not forget to update the URL of the service you just installed, such that other services can reach it.
+
+
+Adding more tornado instances on a different machine
+====================================================
+
+Simply use ``dirac-install-tornado-service`` with no arguments on the new machine.
+
+
+MasterCS special case
+=====================
+
+The master Configuration Server is different and needs to be run in a separate process. In order to do so:
+
+* Do NOT specify ``Protocol=https`` in the service description, otherwise it will be ran with all the other Tornado services.
+* If you run on the same machine as other TornadoService, specify a ``Port`` in the service description (you can keep the existing 9135, if already there).
+* Modify the content of the Configuration so that URLs are updated to use HTTPs instead of DIPs.
+* Add `HandlerPath = DIRAC/ConfigurationSystem/Service/TornadoConfigurationHandler.py` in the etc/dirac.cfg configuration file of the machine where the master CS is running (needed for bootstrap).
+
+Finally, there is no automatic installations script. So just install a CS as you normally would do, and then edit the ``run`` file like that::
+
+  #!/bin/bash
+    rcfile=/opt/dirac/bashrc
+    [ -e $rcfile ] && source $rcfile
+    #
+    export DIRAC_USE_TORNADO_IOLOOP=Yes
+    exec 2>&1
+    #
+    [ "service" = "agent" ] && renice 20 -p $$
+    #
+    #
+    exec tornado-start-CS -ddd

docs/source/AdministratorGuide/ServerInstallations/index.rst

@@ -12,6 +12,7 @@ This sections constains the documentation for installing new DIRAC Servers or se
 
    InstallingDiracServer
    InstallingWebAppDIRAC
+   HTTPSServices
    centralizedLogging
    rabbitmq
    scalingAndLimitations

docs/source/DeveloperGuide/TornadoServices/index.rst

@@ -17,6 +17,7 @@ This page summarizes the changes between DISET and HTTPS. You can all also see t
 - `Presentation of HTTPS migration <https://docs.google.com/presentation/d/1NZ8iKRv3c0OL1_RTXL21hP6YsAUXcKSCqDL2uhkf8Oc/edit?usp=sharing>`_.
 - `Summary presentation (latest) <https://indico.cern.ch/event/945474/>`_.
 
+For installing HTTPs services, please refer to :ref:`https_services` administration page.
 
 
 *******
@@ -147,29 +148,8 @@ Options available are:
 
 This start method can be useful for developing new service or create starting script for a specific service, like the Configuration System (as master).
 
-
-MasterCS special case
-*********************
-
-The master CS is different because it uses the same global variable (``gConfig``) but uses it also to write config. Because of that, it needs to run in a separate process. In order to do so:
-
-* Do NOT specify ``Protocol=https`` in the service description, otherwise it will be ran with all the other Tornado services
-* If you run on the same machine as other TornadoService, specify a ``Port`` in the service description
-
-Finally, there is no automatic installations script. So just install a CS as you normally would do, and then edit the ``run`` file like that::
-
-  diff --git a/run b/run.new
-  index d45dce1..f5f3b55 100755
-  --- a/run
-  +++ b/run.new
-  @@ -7,6 +7,6 @@
-    [ "service" = "agent" ] && renice 20 -p $$
-    #
-    #
-  -  exec python $DIRAC/DIRAC/Core/scripts/dirac-service.py Configuration/Server --cfg /opt/dirac/pro/etc/Configuration_Server.cfg < /dev/null
-  +  export DIRAC_USE_TORNADO_IOLOOP=Yes
-  +  exec tornado-start-CS -ddd
-
+The master CS is different because it uses the same global variable (``gConfig``) but uses it also to write config. Because of that, it needs to run in a separate process.
+It needs to be started with ``tornado-start-CS`` script.
 
 
 TransferClient
@@ -355,9 +335,17 @@ Two special python packages are needed:
 Install a service
 *****************
 
+Initial install: first modify one config (with port and so on) before running ``tornado-install``
+
 ``dirac-install-tornado-service`` is your friend. This will install a runit component running ``tornado-start-all``.
 Nothing is ready yet to install specific tornado service, like the master CS.
 
+Migrate from dips to https
+**************************
+
+comment out port, set Protocol = https, change handler
+
+
 Start the server
 ****************
 

src/DIRAC/FrameworkSystem/scripts/dirac_install_tornado_service.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 """
-Do the initial installation and configuration of a DIRAC service based on tornado
+Do the initial installation and configuration of a DIRAC service based on tornado. If the component is not specified, just install Tornado as such (note that the installation will fail if there are no suited services in the CS)
 """
 
 from __future__ import absolute_import
@@ -62,35 +62,39 @@ def main():
         (
             "System/Component: Full component name (ie: WorkloadManagement/Matcher)",
             "System:           Name of the DIRAC system (ie: WorkloadManagement)",
-        )
+        ),
+        mandatory=False,
     )
     Script.registerArgument(" Component:        Name of the DIRAC service (ie: Matcher)", mandatory=False)
     Script.parseCommandLine()
     args = Script.getPositionalArgs()
 
-    if len(args) == 1:
-        args = args[0].split("/")
-
-    if len(args) != 2:
-        Script.showHelp()
-        DIRACexit(1)
-
-    system = args[0]
-    component = args[1]
-
-    result = gComponentInstaller.addDefaultOptionsToCS(
-        gConfig,
-        "service",
-        system,
-        component,
-        extensionsByPriority(),
-        specialOptions=specialOptions,
-        overwrite=overwrite,
-    )
+    # If we specify a service, add its
+    if args:
+        # System/Component
+        if len(args) == 1:
+            args = args[0].split("/")
+
+        if len(args) != 2:
+            Script.showHelp()
+            DIRACexit(1)
+
+        system = args[0]
+        component = args[1]
+
+        result = gComponentInstaller.addDefaultOptionsToCS(
+            gConfig,
+            "service",
+            system,
+            component,
+            extensionsByPriority(),
+            specialOptions=specialOptions,
+            overwrite=overwrite,
+        )
 
-    if not result["OK"]:
-        gLogger.error(result["Message"])
-        DIRACexit(1)
+        if not result["OK"]:
+            gLogger.error(result["Message"])
+            DIRACexit(1)
 
     result = gComponentInstaller.addTornadoOptionsToCS(gConfig)
     if not result["OK"]:

src/DIRAC/WorkloadManagementSystem/ConfigTemplate.cfg

@@ -17,6 +17,7 @@ Services
       Default = authenticated
     }
   }
+  ##BEGIN JobMonitoring
   JobMonitoring
   {
     Port = 9130
@@ -25,6 +26,8 @@ Services
       Default = authenticated
     }
   }
+  ##END
+  ##BEGIN TornadoJobMonitoring
   TornadoJobMonitoring
   {
     Protocol = https
@@ -33,6 +36,7 @@ Services
       Default = authenticated
     }
   }
+  ##END
   JobStateUpdate
   {
     Port = 9136